In early December 2012, I attended Gartner’s annual Identity and Access Management Summit in Las Vegas, and it was interesting—exciting, actually—to see how much has changed since last year. The most obvious difference from 2011 was the popularity of the conference. The 2011 conference fit comfortably into the conference area of the Sheraton San Diego, a regular-sized hotel on the city’s waterfront. In 2012, it was held in the Caesar’s Palace conference center, where the much broader-interest Data Center conference was held in 2010. (I can’t really say the conference has “moved up” to Caesar’s; I’ll trade sea air for cigarette smoke any day.) The keynote ballroom was double the size of the 2011 conference, and it was comfortably full. Tellingly, when Gartner Managing VP Chris Howard asked for a show of hands of first-time attendees, fully 75 percent of the people in the room responded. From this, I’d deduce that IT pros and their managers are getting management attention on the need for Identity and Access Management (IAM) guidance—certainly enough to get approval to attend a premium conference on the subject!


Trends Revealed

The rapid rise of interest in identity management as a service (IDaaS) continues, with more vendors offering single sign-on (SSO) capabilities to hundreds of Software as a Service (SaaS) applications with federation for sites that support it and password vaulting for the rest. In the closing session, Gartner Research VP Ian Glazer remarked that there was an “incredible force to move federation to the cloud,” and that the perception of this architecture had changed dramatically in just a couple of years, from an interesting outlier solution to one that many enterprises are seriously considering and implementing. Analyst Earl Perkins stated at the Garner Catalyst Conference 2012 several months ago that Gartner predicts 40 percent of all IAM sales by 2015 will go to IDaaS solutions.

IAM is assuming a new role in business. Business people (who are, after all, the customers) are now becoming more involved in IAM projects (compared, in the past, with only IT) and are influencing the choices. A major theme for the conference was Gartner’s concept of a “nexus of forces.” Three of these forces—mobility, cloud, and business intelligence—came out of a survey about what CIOs are currently prioritizing. Gartner added a fourth (social) because although survey participants didn’t explicitly state social as a priority, many of their customer-related goals were in fact social. These forces, Gartner believes, support how people want to interact with each other and with their information.

Interest in mobile device management (MDM) has grown considerably; the reality of Bring Your Own Device (BYOD) seemed to have settled in with attendees. The complexities of providing mobile device access to corporate data without entering a very sensitive Active Directory (AD) password, and pushing policies out to them, demonstrate the need for MDM as well as for better-recognized IAM solutions. And as I’ve mentioned before, IAM vendors are moving away from providing point solutions and are instead building products (or suites of products) that encompass many different IAM capabilities, theoretically making management of this area a little easier and cheaper. My discussions with vendors on the trade show floor backed this up, and Gartner analysts are saying the same thing. Many vendors are now providing MDM capabilities in their IAM products, though the details vary.

One of the challenges of familiarizing yourself with the ins and outs of cloud identity is that it uses a completely different set of protocols and terms than what the enterprise-centric, Kerberos-loving IT pro is familiar with. In an effort to educate attendees, in a session titled “New-School Identity Protocols Fight for Your Love,” Glazer hosted a panel of five experts, each representing a major cloud identity–related protocol. (The Twitterverse immediately dubbed it a “protocol smackdown”—two words I never expected to see next to each other.) OAuth was represented by Dick “The Hammer” Hardt, OpenID Connect by Nat “Never Surrender” Sakimura, Security Assertion Markup Language (SAML) by Paul “Mad Man” Madsen, System for Cross-domain Identity Management (SCIM) by Kelly “The Killer” Grizzle, and eXtensible Access Control Markup Language (XACML) by David “Boom Boom” Brossard. Each panelist was allowed 20 slides at 20 seconds each to present an overview of his or her protocol and explain why it was so cool. This presentation format is known as Pecha Kucha, and it was originally conceived as a concise way to make presentations on design topics such as architecture. In a technical presentation, it can seem like information is blasting at you from a firehose, and you’re further distracted by wondering when the slide will change and whether the speaker will keep up. But this approach did get the presentations out of the way in 30 minutes, allowing for panelists to discuss protocol pros and cons among themselves and to answer audience questions. An audience vote at the end declared the SAML authentication protocol (and the venerable Paul Madsen of Ping Identity) the winner.


Still in Flux

Demonstrating that he can speak as well as write, humorist Dave Barry gave an entertaining keynote about his knowledge of IAM. (Executive summary: He knows nearly nothing.) Barry has given this same routine many times before at Gartner events, I suspect; I saw him deliver the keynote address at the 2010 Gartner Data Center conference, and he also spoke at the 2012 version taking place across the Strip at the Venetian on the same day. Nonetheless, he’s very funny. My favorite quote from Barry’s keynote is, “Cloud computing is about keeping the user’s data away from their cream cheese.” Cloud identity technology—and its associated market—continues to mature, but almost all aspects of it are still in flux. At the same time, its visibility to mainstream IT is on a strong upswing. IT pros looking into cloud identity are finding a very different and, in many respects, still unsettled world. One of the best things these professionals can do to help settle the dust is to push the SaaS or cloud identity vendors they have toward standards featured in the above smackdown. It’s customers, with their cash, who have the loudest voices in this area. That also is one of the purposes of this cloud identity column: to inform IT pros and managers about new aspects of identity that they’ll soon be responsible for, if they aren’t already.